> -----Original Message----- > From: Cedric Blancher [mailto:blancher@xxxxxxxxxxxxxxxxxx] > Sent: Wednesday, March 03, 2004 10:21 AM > To: Paul Harlow > Cc: netfilter@xxxxxxxxxxxxxxxxxxx > Subject: Re: Allowing FTP and internal but nothing else > > > Le mer 03/03/2004 à 17:55, Paul Harlow a écrit : > > I have an FTP server that I would like to filter out all external > > traffic except ftp and ftp-data. This same server has an internal > > interface that I would like to allow everything on the > inside to have > > access to. Given what I've read I have come up with this > general idea > > of what to put into a filter table for now. Please let me know what > > your gurus of netfilter think. > > I am not a guru, but I do think you should read docs... See http://www.netfilter.org/ documentation section (HOWTOs and tutorials). > iptables -I INPUT -i eth0 -j ACCEPT > iptables -I INPUT -i eth1 -d port 21 -j ACCEPT > iptables -I INPUT -i eth1 -d port 20 -j ACCEPT > iptables -I INPUT -i eth1 -j deny It won't work at all. Firstly, -I inserts rule at top of chain. This the first rule for eth1 will be the "deny all" one (your last rule). So FTP won't work. Secondly, your FTP description is nor exact nor functional. TCP/20 is used as source by FTP server for active data transfert, so you do not need to open it in INPUT. But for passive data transfert, you need to open all unpriviledge ports range (1024:65535) to accept data connection from client. And thirdly, "deny" is not a valid target for iptables. You have to use DROP. Netfilter is stateful and can handle FTP using conntrack. So use it : iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -m state --state NEW -p tcp --dport 21 \ -j ACCEPT This will be enough to handle the full FTP session. To me, the full ruleset to achieve what you want should be : iptables -P INPUT DROP iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -i eth0 -m state --state NEW -j ACCEPT iptables -A INPUT -i eth1 -m state --state NEW -p tcp --dport 21 \ --syn -j ACCEPT -- http://www.netexit.com/~sid/ PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE >> Hi! I'm your friendly neighbourhood signature virus. >> Copy me to your signature file and help me spread! Thanks! As I said I'm severly new to IPTables so it's all expirementation now and I would never have been able to come up with your last lines here. I have used www.netfilter.org to get where I am this far. My question about your "full ruleset" of: iptables -P INPUT DROP iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -i eth0 -m state --state NEW -j ACCEPT iptables -A INPUT -i eth1 -m state --state NEW -p tcp --dport 21 --syn -j ACCEPT This doesn't appear to cover TCP port 20 for ftp-data conns. Or would that be covered by the RELATED tag? Thanks again.
